The Defense-Wide Information Assurance Program

by CAPT J. Katharine Burton, USN
OASD (C3I)/IA


The Department of Defense's increasing dependence on a global information environment heightens its exposure and vulnerability to a rapidly growing number of sophisticated internal and external threats. Globally inter-networked and interdependent information systems tend to level the playing field between allies and potential adversaries. These systems offer adversaries access to potentially low-risk, high-value information infrastructure targets with the potential to impact the full spectrum of DoD operations. Furthermore, with each advance in information technology, new vulnerabilities are created that must be quickly discovered and effectively neutralized.


Before global networking became commonplace, the majority of the Department's critical information functions, both command & control and support, were electrically separated in Component-managed telecommunications and information processing environments. This separate-system condition had the advantage of providing the Department's information and information systems a level of resiliency and protection, forcing an adversary to attack each independently controlled environment. To seriously degrade the aggregate capability of the Department, an adversary had to disrupt or corrupt a large number of critical systems using highly sophisticated (and largely unavailable) technologies that were expensive in terms of both time and money.

In contrast, the Department's reliance on commercial, globally interconnected information technologies has markedly heightened its vulnerability to attack. Today's inter-networked information technologies make it possible to affect many users, systems, and networks by attacking a single connection to a single network. To attack a large number of systems, an adversary need only find and attack a single exploitable connection to the system. These attacks can be performed through the use of a large and growing variety of available and inexpensive hacker tools. Once inside a system, an adversary can exploit it, as well as the systems networked to it. This glob-


by Paul Stone
American Forces Information Service

year, Air Force Lt. Col. Buzz Walsh and Maj. Brad Ashley presented a series of briefings to top DoD leaders that raised more than just a few eyebrows.

Selected leaders were shown how it was possible to obtain their individual social security numbers, unlisted home phone numbers, and a host of other personal information about themselves and their families, simply by cruising the Internet.

Walsh and Ashley, members of the Pentagon's Joint Staff, were not playing a joke on the leaders. Nor were they trying to be clever. Rather, they were dramatically and effectively demonstrating the ease of accessing and gathering personal and military data on the information highway — information which, in the wrong hands, could translate into a vulnerability.

"You don't need a Ph.D. to do this," Walsh said about the ability to gather the information. "There's no rocket science in this capability. What's amazing is the ease and speed and the minimal know-how needed. The tools (of the Net) are designed for you to do this."

The concern over personal information on key DoD leaders began with a simple inquiry from one particular flag officer who said he was receiving a large number of unsolicited calls at home. In addition to having the general's unlisted number, the callers knew specifically who he was.

Too Much About Too Much

Beginning with that one inquiry, the Joint Staff set out to discover just how easy it is to collect data not only on military person-
The IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). This issue continues the focus on current information assurance initiatives underway within DoD, academia, and industry. In addition, an overview of the current collection of Firewall Tools is provided.

IATAC, a DoD-Sponsored Information Analysis Center (IAC), is administratively managed by the Defense Technical Information Center (DTIC) under the DoD IAC Program. Inquiries about IATAC capabilities, products and services may be addressed to:

Robert Thompson
Director, IATAC
703.902.5530

We welcome your input!

To submit your related articles, photos, notices, feature programs or ideas for future issues, please contact:

IATAC
ATTN: C. McNemar
8283 Greensboro Dr.
McLean, VA 22102
Phone 703.902.3177
Fax 703.902.3425
E-mail: iatac@dtic.mil
al marriage of systems and networks has created a shared risk environment.

Any risk of weakness in any portion of the Defense Information Infrastructure (DII) is a serious threat to the operational readiness of all Components. The Department is moving aggressively to ensure the continuous availability, integrity, authentication, confidentiality, and non-repudiation of its information, and the protection of its infrastructure. Recent assessments, exercises, and real-life events clearly demonstrate that Defense-wide improvements in Information Assurance (IA) are an absolute and continuous operational necessity. We can no longer be satisfied with reactive or after-the-fact solutions. As the Department modernizes its information infrastructure, it must continuously invest in the research, development, and timely integration of products, procedures, and training necessary to sustain its ability to defend and protect the infrastructure. Providing for the protection of the DII is among the Department's highest priorities and is one of its most formidable challenges.

The Department's IA objective is to provide for the availability, integrity, authentication, confidentiality, non-repudiation, and rapid restoration of DII mission essential elements. Critical to achieving this objective is the implementation of a Department-wide planning and integration framework. To that end, on January 30 the Deputy Secretary of Defense, Dr. John J. Hamre, approved the creation of the Defense-wide Information Assurance Program (DIAP). The recommendations of the program are the result of several years of effort by the IA community, including:

• The October 9, 1996, Program Decision Memorandum II (PDM II) directing that an assessment be conducted by the Department-wide Information Assurance Task Force, and

• The August-September 1997 IA Integrated Process Team (IA IPT) effort directed by a Secretary of Defense memorandum of August 12, 1997.

The recommendations reflect the Department's understanding that IA is an operational readiness issue and that its dependence on inter-networked systems and services creates a shared risk environment necessitating an unprecedented level of coordination and unity across the Department.

The DIAP will provide the common management framework and central oversight necessary to ensure the protection and reliability of the DII. While planning and integration will be centralized, execution of individual Components' programs will remain the responsibility of the Components. A culture that recognizes and values IA must also be built among all Department Components.

Accordingly, the DIAP will continuously compare the Department's IA programs and functions against its operational and business information requirements, Defense-wide readiness standards, and threats to the DII. The DIAP will also infuse IA throughout its operations as a fundamental element of readiness and training. Operational readiness standards will be used to assess the adequacy of the protection afforded to the Department's data, information systems, and networks, and to the entire DII. This effort will provide a comprehensive and real-time picture of all IA programs. It will enable the Department to accurately develop, validate, and prioritize IA requirements; determine the return on its IA investments; and objectively assess its protection efforts.

The DIAP achieved initial operational capability in June 1998 with the assignment of the Staff Director and other key positions. It is in the process of achieving full operational capability as staffing for the various positions becomes available. Organizationally, the DIAP reports to the Information Assurance Directorate of the Office of the Assistant Secretary of Defense for C3I (OASD/C3I) (Figure 1). The DIAP is divided into two teams: the Functional Evaluation and Integration Team (FEIT) and the Program Development and Integration Team (PDIT) (see Figure 2). Between

Figure 1.

Figure 2.
Through Public-Private Partnership

As our society speeds into the Information Age, we are growing increasingly dependent on a complex web of information systems to manage our lives. We use computers, the Internet, and other information technologies to conduct business, manage finances, engage in personal communications, and process vast amounts of data.

This dependence on information systems also extends to our Nation's critical infrastructures. These infrastructures (telecommunications, energy, banking and finance, transportation, and government operations, among others) are the foundation of our economy, national security, and way of life; virtually every citizen depends on them every day. Technological advances have made these infrastructures highly automated and interdependent, increasing their efficiency and improving the quality of their services.

Yet technological advances have also introduced vulnerabilities into these infrastructures, and more people now have the tools to exploit them. For example, the pervasiveness and easy accessibility of the Internet means that anyone possessing the right tools and technical skills can penetrate an organization's information and control systems to steal data or inflict damage. Culprits who might commit such acts include disgruntled employees, recreational hackers, criminal groups, terrorist organizations, foreign intelligence services, or even hostile nations.

The National Infrastructure Protection Center (NIPC) was established in February 1998 to address infrastructure threats and vulnerabilities. Our mission is to detect, deter, assess, warn of, respond to, and investigate unlawful acts (both physical and cyber) that threaten our critical infrastructures. Located at FBI Headquarters in Washington, D.C., the NIPC is an interagency, public-private body that brings together investigators, analysts, computer scientists, and other experts from government and private industry.

The NIPC focuses on preventing attacks (learning about them before they occur) and taking steps to prevent or disrupt them. This effort requires collecting and analyzing information from all available sources (including law enforcement, intelligence services, open sources, and the private sector) and disseminating our analyses to all relevant organizations. If an attack occurs, the NIPC is the Federal Government's focal point for crisis response and investigation.

The NIPC is built on a foundation of partnership. When fully staffed, the NIPC will include representatives from the Federal Government (including the FBI, Department of Defense, the Intelligence Community, and others), from the owners and operators of critical infrastructures (to provide expertise and to facilitate coordination in the event of a crisis), and from state and local law enforcement (to build liaison relationships with emergency first responders). The NIPC also will establish electronic connectivity to relevant organizations in government and industry that have or require information about infrastructure threats and vulnerabilities.

The NIPC's success depends on information sharing. We are developing two-way channels of communication to facilitate information flow regarding threats, vulnerabilities, and incidents between government and industry. The Federal Government has access to intelligence and law enforcement information that is unavailable to private organizations. Simultaneously, the NIPC wants to learn about the threats and vulnerabilities experienced by these organizations. Sharing this important information will help us to define the threat environment with greater accuracy, thereby enabling us to prevent or disrupt potential attacks.

One current initiative is "InfraGard," a pilot project sponsored by the FBI's Cleveland Field Office to foster information sharing among private industry, the FBI, and other government agencies. A secure, Internet-based system, InfraGard has an alert network that members can use to report computer intrusions to the FBI. Reports are sent by encrypted electronic mail (e-mail) in two forms: a detailed description (which the FBI uses for analysis and, if required, investigative purposes) and a sanitized, victim-produced version (for distribution to other InfraGard members). Approximately 56 organizations are now involved in the InfraGard project, and we are exploring options for expanding it into a national system.

Protecting our critical infrastructures in the Information Age will require creative solutions and new ways of thinking. Establishing the NIPC and developing a productive partnership between government and industry are important steps in this direction. Much work remains to be done, but we look forward to working with our partners as we confront the challenges ahead.

Kenneth Geide is Chief of the FBI's Computer Investigations and Operations Section (CIOS), National Infrastructure Protection Center (NIPC). Mr. Geide initiated the FBI's Economic Counterintelligence program and was instrumental in drafting and achieving the passage of the Economic Espionage Act of 1996. He received his Bachelor's Degree from the University of San Francisco and his Master's Degree from New York University.
nel, but the military in general. They used personal computers at home, used no privileged information - not even a DoD phone book - and did not use any on-line services that perform investigative searches for a fee.

In less than five minutes on the Net, Ashley, starting with only the general's name, was able to extract his complete address, unlisted phone number, and using a map search engine, build a map and driving directions to his house.

Using the same techniques and Internet search engines, they visited various military and military-related web sites to see how much and the types of data they could gather. What they discovered was too much about too much, and seemingly too little concern about the free flow of information versus what the public needs to know.

For example, one web site for a European-based installation provided more than enough information for a potential adversary to learn about its mission and to possibly craft an attack. Indeed, the web site contained an aerial photograph of the buildings in which the communication capabilities and equipment were housed. By pointing and clicking on any of the buildings, a web surfer would learn the name of the communications system housed in the building and its purpose.

"DATAMINING" MADE EASY

Taking their quest for easily accessible information one step further, the Joint Staff decided to see how much information could be collected just by typing a military system acronym into an Internet search engine. While not everyone would be familiar with defense-related acronyms, many of them are now batted around the airwaves on talk shows and on the Internet in military-related chat rooms. They soon discovered how easy it was to obtain information on almost any topic, with one web site hyper-linking them to another on the same topic.


What the Joint Staff was doing when they collected their information is commonly called "data mining" — surfing the Net to collect bits of information on individuals, specific topics or organizations, and then trying to piece together a complete picture. Individuals do it, organizations do it and some companies do it for profit.

While the information they discovered presented legitimate concerns, it wasn't all negative. The Army's Ft. Belvoir, Va., home page was cited as one example of a web site which served the needs of both the military and the public. It had the sort of information families or interested members of the public need and should get.

So what does all this mean? Is DoD creating individual and institutional security problems? In the rush to make information available to the internal audience, is too much being made available to the public and those who might want to inflict harm?

The Joint Staff doesn't pretend to have all the answers to these questions, but is encouraging users to think about these issues whenever they put information on the Internet; and they believe that, in some cases, DoD is its own worst enemy.

Need To Know vs. Right To Know

Michael J. White, DoD's assistant director for security countermeasures, agrees with the Joint Staff analysis. Moreover, as a security expert, he is concerned DoD does indeed exceed what needs to be on the Internet.

"For fear of not telling our story well enough, we have told too much," he said. "Personally, I think there's too much out there... and you need to stop and ask the question: Does this next paragraph really need to be there, or can I extract enough or abstract enough so that the intent is there without the specificity? And that is hard to do because we are pressed every day. So sometimes expediency gets ahead of pausing for a minute and thinking through the process: Does the data really need to be there? Is it going to hurt me tomorrow morning?"

DoD's policy on releasing information to the public, as spelled out by Defense Secretary William Cohen in April 1997, requires DoD "to make available timely and accurate information so that the public, Congress and the news media may assess and understand the facts about national security and defense strategy." The same statement requires that "information be withheld only when disclosure would adversely affect national security or threaten the men and women of the Armed Forces."

"On the one hand," Ashley said, "we have fast, cheap and easy global communication and coordination. On the other hand, we find ourselves protecting official information and essential elements of information against point-and-click aggregation. Clearly, this balancing act is a function of risk management. Full openness and full protection are equally bad answers. We have a serious education, training and awareness issue that needs to be addressed."
The Joint Staff repeatedly returns to the issue of "point-and-click aggregation" as a problem that is often overlooked when military personnel and organizations place data on the Internet. What they're referring to is the ability to collect bits of information from several different web sites to compile a more complete picture of an individual, issue or organization with very little effort.

"The biggest mistake people make is they don't understand how easy it is to aggregate information," Walsh said.

The lesson from this is that even though what is posted on the Net is perfectly innocent in and by itself, when combined with other existing information, a larger and more complete picture might be put together that was neither intended nor desired.

A more obvious problem, yet still one not always considered when posting information on the Internet, is that the "www" in web site addresses stands for "world wide" web. Information posted may be intended only for an internal audience - perhaps even a very small and very specific group of people. But on the Net, it's available to the world.

This, security experts agree, is an enormous change from the time when foreign intelligence gathering was extremely labor intensive and could only be done effectively on U.S. soil.

"If I'm a bad guy, I can sit back in the security of my homeland and spend years looking for a vulnerability before I decide to take a risk and commit resources," Ashley said. "I'm at absolutely no risk by doing that. I can pick out the most lucrative targets beforehand, and may even just bookmark those targets for future use. We won't know something has been compromised until it's too late."

White agrees with the Joint Staff's concern. "You can sit in Germany and have access to the United States just as easily as you can in Australia or the People's Republic of China or Chile," White said. "It doesn't matter where you are. You can go back and forth and in between and lose your identity on the net instantaneously. Those who seek to use the system feel comfortable they won't be discovered."

FOUO Means FOUO

In addition to these issues, security experts see another recurring and disturbing problem. In the rush to take advantage of the Net's timeliness and distribution capabilities, military personnel are forgetting about or ignoring the For Official Use Only policies which previously made the information more difficult to obtain. Yet anyone using the Internet doesn't have to venture far into the array of military web sites to come across one which states: "For Official Use Only."

If the information is For Official Use Only, security experts said web site developers, managers and commanders must ask themselves whether the information should be there in the first place.

While officials are most concerned about the information being placed on military web sites, they had similar warnings about individual or family web sites. The Joint Staff recommends the same precautions should apply at home, especially as personnel move into high-ranking, key leadership positions.

IT'S A COMMANDER'S ISSUE

At a time when the flow of information is beyond anyone's capability to either digest it or control its direction, it's not likely the problems brought forward recently by the Joint Staff will be solved any time soon. The first step, security experts said, is awareness the problems exist. Commanders have to understand not just the information capabilities of the world wide web, but the information vulnerabilities as well.

The second step, Walsh pointed out, is for commanders to become actively involved in the issue of what's being put on the Internet. Current DoD policies require local commander, public affairs and security reviews prior to release of data on web pages. But the flow of information is so great, these reviews may not be occurring and few are looking at the aggregation problem.

"I think it would be very appropriate for a public affairs officer to be the commander's lead representative," Walsh said. "But it's a commander's issue and it should go down command lines. This is certainly an operational security issue. Just like operational security is everybody's business, this ultimately is everyone's responsibility."

White concurred and recommends installations create "security-integrated product teams" which would be tasked to develop and implement guidelines for creating and monitoring web sites on the installation.

"I think having a group come together before the (web site development) process begins will remove an awful lot of pain in the long run," White said. "We need to step back one step and think before we begin any effort, because once it's done you can't undo it. That makes it very hard in a digital environment."

Although it's not possible to retrieve what's already on the world-wide web, nor predict how it will influence future security issues, Walsh, Ashley and White believe it's not too late to make a difference. With a little more forethought and a lot more planning, it will be possible to better protect the next generation of warfighters, both on and off the battlefield, they said.

Previously released September 25, 1998 via DefenseLink, from the American Forces Information Service News Articles. Downloadable version is available at http://websecurity.ads.osd.mil.
Intrusion Detection System Evaluation

The Information Systems Technology Group of MIT Lincoln Laboratory, under Defense Advanced Research Projects Agency Information Technology Office (DARPA/ITO) and Air Force Research Laboratory (AFRL/SNHS) sponsorship, is collecting and distributing the first standard corpus for evaluating computer network intrusion detection systems. Along with AFRL/SNHS, we are also coordinating the first formal, repeatable, and statistically significant evaluation of intrusion detection systems. This evaluation will measure probability of detection and probability of false alarm for each system under test.

This evaluation will contribute significantly to the intrusion detection research field by providing direction for research efforts by objectively calibrating current technology. The evaluation is designed to be simple, to focus on core technology issues, and to encourage wide participation. We have tried to eliminate security and privacy concerns, and we are providing data types that are used commonly by the majority of intrusion detection systems.

Technical Objective

The evaluation objectively measures intrusion detection systems' ability to detect attacks on computer systems and networks. The evaluation focuses on UNIX workstations, and the goal is to determine whether any of the following attack events occurred or were attempted during a given network session:

• Denial of service;

• Unauthorized access from a remote machine;

• Unauthorized access to local superuser privileges by a local unprivileged user;

• Surveillance and probing; and

• Anomalous user behavior.

Network sessions used for scoring the evaluation are complete TCP/IP connections, which correspond to interactions using many services including telnet, HTTP, SMTP, FTP, finger, rlogin, and others. Because the evaluation is based on the context of normal computer use on a military base, the frequency and character of the network sessions generated for each of these services reflect their actual usage at Air Force bases worldwide. The evaluation is designed to foster research progress, with the following four goals:

1. Explore promising new ideas in intrusion detection;

2. Develop advanced technology incorporating these ideas;

3. Measure the performance of this technology; and

4. Compare the performance of various newly developed and existing systems in a systematic, careful way.

Previous evaluations of intrusion detection systems have tended to focus exclusively on the probability of detection, without regard to probability of false alarm. By embedding attack sessions within normal background traffic sessions, the current evaluation will allow us to measure both detection and false alarm rates simultaneously.

Data and Guidelines

Before the evaluation begins, seven weeks of training data will be made available to the participants. These data will be used to configure intrusion detection systems and train free parameters. Generally, the types of training data provided will be those that are used by most current commercial and research intrusion detection systems, e.g., network packet traffic, host audit files, and file system dumps. These data will be labeled individually as either normal or attack/anomalous. Later, a set of test data will be made available. Evaluation participants will run their systems blindly over the test data and will submit the system hypotheses for scoring.
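As an added example (not the evaluation's own scoring software), the following Python scores a set of constructed per-session hypotheses against constructed ground truth in the way the two paragraphs above describe: attack sessions embedded among normal sessions, with detection rate and false-alarm rate reported together, and a threshold sweep that yields ROC operating points. The session ids, services, category short names and suspicion scores are all assumptions.

```python
"""Scoring intrusion detection hypotheses the way the evaluation above
describes: attack sessions are embedded among normal sessions, and the
submitted hypotheses are scored for detection rate and false-alarm rate
together. Constructed example, not the evaluation's own scoring software;
session ids, services, category short names and scores are made up."""
from collections import defaultdict
from dataclasses import dataclass

# Short names for the page's attack categories: denial of service, remote-to-
# local access, local user-to-superuser, surveillance/probing, anomalous use.
ATTACK_CATEGORIES = ("dos", "r2l", "u2r", "probe", "anomalous")

@dataclass(frozen=True)
class Session:
    session_id: str
    service: str   # telnet, http, smtp, ftp, finger, rlogin, ...
    label: str     # "normal" or one of ATTACK_CATEGORIES

# Constructed ground truth: 10 normal background sessions and 8 attack sessions.
TRUTH = [
    Session("s01", "http", "normal"), Session("s02", "smtp", "normal"),
    Session("s03", "telnet", "normal"), Session("s04", "ftp", "normal"),
    Session("s05", "finger", "normal"), Session("s06", "http", "normal"),
    Session("s07", "rlogin", "normal"), Session("s08", "smtp", "normal"),
    Session("s09", "http", "normal"), Session("s10", "telnet", "normal"),
    Session("a01", "smtp", "dos"), Session("a02", "http", "dos"),
    Session("a03", "telnet", "r2l"), Session("a04", "ftp", "r2l"),
    Session("a05", "telnet", "u2r"), Session("a06", "finger", "probe"),
    Session("a07", "http", "probe"), Session("a08", "telnet", "anomalous"),
]

# Constructed hypotheses: the system's suspicion score per session, 0..1.
# Sessions the system never reported count as unflagged (score 0).
HYPOTHESES = {
    "s01": 0.05, "s02": 0.10, "s03": 0.20, "s04": 0.15, "s05": 0.60,
    "s06": 0.30, "s07": 0.25, "s08": 0.10, "s09": 0.05, "s10": 0.45,
    "a01": 0.95, "a02": 0.90, "a03": 0.70, "a04": 0.40, "a05": 0.35,
    "a06": 0.80, "a07": 0.85, "a08": 0.55,
}

def score(truth, hypotheses, threshold):
    """Flag every session scoring >= threshold; return per-category detection
    rates, the overall detection rate, and the false-alarm rate (flagged
    normal sessions / normal sessions)."""
    detected, total = defaultdict(int), defaultdict(int)
    false_alarms = normals = 0
    for s in truth:
        flagged = hypotheses.get(s.session_id, 0.0) >= threshold
        if s.label == "normal":
            normals += 1
            false_alarms += flagged
        else:
            total[s.label] += 1
            detected[s.label] += flagged
    attacks = sum(total.values())
    return {
        "detection": {c: detected[c] / total[c] for c in total},
        "overall_detection": sum(detected.values()) / attacks if attacks else 0.0,
        "false_alarm_rate": false_alarms / normals if normals else 0.0,
    }

def roc_points(truth, hypotheses):
    """Sweep every distinct score as a threshold and return the sorted set of
    (false_alarm_rate, overall_detection) operating points. Reporting only the
    highest-detection point, as earlier evaluations did, hides false alarms
    that a corpus of millions of connections turns into a flood."""
    points = set()
    for t in sorted(set(hypotheses.values()) | {0.0}):
        r = score(truth, hypotheses, t)
        points.add((r["false_alarm_rate"], r["overall_detection"]))
    return sorted(points)
```

At a threshold of 0.3 this constructed system detects every attack, which an evaluation ignoring false alarms would call perfect; the same sweep shows it also flags 30% of normal sessions.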

Both the training and the testing data will be extracted from a simulation network of about a dozen workstations (see Figure 1 on opposite page). With kernel modifications made available by AFRL/SNHS and other custom software, these few workstations can emulate thousands of workstations with hundreds of users. Both normal use and attack sessions will be present. Distributions of normal session types and normal session content will be similar to that on military bases. Attack sessions will contain old, recent, and new attacks. Most network sessions are run automatically, while a small number of sessions are generated by live users. Seven weeks of network traffic are available for training, and another two weeks will be used for evaluation. In all, the evaluation corpus will contain millions of network connections.

[Figure 1: Simulation Network]
Figure 1. The Lincoln simulation network is used to generate traffic for the DARPA 1998 evaluation. The network has an "inside," which represents a military base, and an "outside," which represents the Internet. Though the network contains only 10 computers, it is capable of producing traffic from thousands of simulated computers and hundreds of simulated users.

There are two parts to the intrusion detection evaluation. The first part is an off-line evaluation. Network traffic and audit logs collected on a simulation network will serve as input to intrusion detection systems under test. These systems will process data in batch mode, trying to find the attack sessions in the midst of normal activity. The second part of the evaluation is conducted in real-time. Systems will be delivered to AFRL/SNHS and inserted into their network testbed. Again, the job of the detection system is to find the attack sessions in the midst of normal background activity. Some systems may be tested in off-line mode, some in real-time mode, and some in both modes.

Schedule

Data for this first evaluation will be made available during the fall of 1998. The evaluation itself will occur in October and November. A follow-up meeting for evaluation participants and other interested parties will be held in December to discuss research findings. All R&D sites that find the task and the evaluation of interest are invited to participate.

For more information or to request copies of the training corpus, contact:

Dr. Marc A. Zissman or Dr. Richard P. Lippmann
Lincoln Laboratory
Massachusetts Institute of Technology, Information Systems Technology Group
244 Wood Street
Lexington, MA 02420-9185
Voice: 781.981.7625
Fax: 781.981.0186
Email: INTRUSION@SST.LL.MIT.EDU
HTTP://WWW.LL.MIT.EDU/IST/


For specific information on the real-time evaluation, contact:

Terrence (Terry) G. Champion
Air Force Research Laboratory
Electromagnetics Technology Division, INFOSEC Technology Office, Building 1124
Hanscom AFB, MA 01731-5000
Voice: 781.377.2068
Fax: 781.377.2563
Email: TGC@SAPPHO.RL.AF.MIL

Marc A. Zissman received the S.B. degree in computer science from MIT in 1985, and the S.B., S.M., and Ph.D. degrees in electrical engineering, all from MIT, in 1986, 1986, and 1990, respectively. He is presently assistant leader of the Information Systems Technology Group at MIT Lincoln Laboratory, where his research focuses on digital speech processing and computer network security. He may be reached at MAZ@SST.LL.MIT.EDU.

Richard P. Lippmann received a B.S. in electrical engineering from the Polytechnic Institute of Brooklyn in 1970 and a Ph.D. in electrical engineering from the Massachusetts Institute of Technology in 1978. He is presently a senior staff member in the Information Systems Technology Group at MIT Lincoln Laboratory, where his research focuses on speech recognition and the application of neural networks and statistics to problems in computer intrusion detection. He may be reached at RPL@SST.LL.MIT.EDU.

them, these two teams accomplish the overall mission, tasks, and functions of the DIAP and are staffed by a combination of Service, Joint Staff, OSD, and Defense Agency personnel. The FEIT consists of eight functional areas, including Readiness Assessment, Human Resources Development, Operational Policy and Doctrine Implementation, Security Management, Operational Monitoring, Architectural Standards and System Transformation, Acquisition and Product Development, and Research and Technology. These team members are the DIAP's principal evaluators for each functional area and will continuously evaluate Component IA programs to ensure the Defense-wide application of these functions is consistent, integrated, efficient, and programmatically supported. The PDIT will provide for the oversight, coordination, and integration of the Department's IA resource programs. The sum total of these activities will ensure the Department's IA operational capabilities to protect, detect, and respond are appropriately met.

The transformation of IA from a largely technical issue to an operational imperative is critical to the success of the Department's IA strategy. The DIAP constitutes a significant management, organizational, and cultural change within the Department. It will ensure that the Department's IA programs extend beyond traditional Service and Agency perspectives to meet the growing challenges of a dynamic, global information environment. Through this process, the Department will be able to leverage information and information technology to enhance the efficiency of its business activities and the impact of its military operations.

CAPT Burton received her M.S. in National Security Strategy from the National War College and her M.A. in Management Information Systems from George Washington University. She is currently assigned as the Staff Director, Defense-Wide Information Assurance Program (DIAP), in the Information Assurance Directorate of the Office of the Assistant Secretary of Defense for Command, Control, Communication and Intelligence.
The IATAC Information Assurance Tools Database hosts information on intrusion detection, vulnerability analysis, firewalls and antivirus applications. A brief summary of FIREWALL TOOLS is provided on these two pages. For more information, see the IATAC Product Order Form on page 15.


TITLE | COMPANY | KEYWORDS | URL
AltaVista Firewall 98 | Digital Internet Solutions | Firewall, Application-Level Gateway, VPN | http://www.altavista.software.digital.com
AS/400 | IBM, Inc. | Firewall, Application Gateway, Packet Filtering | http://www.ibm.com
Border Manager | Novell, Inc. | Firewall, Packet Filtering, Circuit-Level Gateways, Application-Level Gateways (Proxies), NAT, VPN | http://www.novell.com
BorderWare Firewall Server | BorderWare Technologies, Inc. | Firewall; Tri-Level: Packet Filtering, Circuit-Level Gateways, and Application Proxies; NAT, VPN | http://www.borderware.com
Brimstone/Freestone | SOS Corporation | Firewall, Hybrid | http://www.soscorp.com
Checkpoint Firewall-1 | Check Point | Firewall, Stateful Inspection, Proxies, NAT, VPN | http://www.checkpoint.com
cIPro-FW | Radguard | Firewall, Multi-Layer Probing (MLP), NAT, VPN | http://www.radguard.com
ConSeal PC Firewall | Signal 9 Solutions | Firewall, Packet Filtering, NAT, VPN | http://www.signal9.com
CyberGuard for NT | CyberGuard Corporation | Firewall, Hybrid, NAT | http://www.cyberguard.com
CyberGuard for UnixWare | CyberGuard Corporation | Firewall, Hybrid, NAT | http://www.cyberguard.com
Elron Firewall | Elron Software, Inc. | Firewall, Stateful Inspection, NAT, VPN | http://www.elronsoftware.com
eNetwork for AIX/Windows NT | IBM, Inc. | Firewall, Hybrid, NAT, VPN | http://www.ibm.com
Firebox 100/Firebox II | WatchGuard Technologies, Inc. | Firewall, Stateful Packet Filtering, Transparent Proxies, NAT, VPN | http://www.watchguard.com
Firewall for Windows NT | Secure Computing | Firewall, Application Gateway (Proxies) | http://www.elronsoftware.com
Gauntlet | Trusted Information Systems | Firewall, Application Gateway, VPN | http://www.tis.com
GemGuard | Gemini Computers | Firewall, Trusted Packet Filtering, VPN | http://www.geminisecure.com
GNAT Box | Global Technology | Firewall, Stateful Packet Inspection, Application Techniques, NAT | http://www.gnatbox.com
Guardian | NetGuard, Ltd. | Firewall, Stateful Inspection, NAT, VPN | http://www.ntguard.com
GuardIt | Computer Associates | Firewall, Hybrid, NAT | http://www.cai.com
He@tSeekerPro | Fortress Technologies | Firewall, Packet Filtering | http://www.fortresstech.com
ICE.BLOCK | J. River, Inc. | Firewall, Packet Filtering | http://www.jriver.com
Interceptor | Technologic, Inc. | Firewall, Application Proxies, VPN | http://www.tlogic.com
Interlock Service | WorldCom Advanced Networks | Firewall, Application-Level Proxy | http://www.ans.net
IOS Firewall Feature Set | Cisco Systems | Firewall, Packet Filtering, NAT, VPN | http://www.cisco.com
Lucent Managed Firewall | Lucent Technologies, Inc. | Firewall, Packet Filtering | http://www.lucent.com
LuciGate | Lucidata | Firewall, Packet Filtering, NAT | http://www.lucidata.com
NetGate | Small Works, Inc. | Firewall, Packet Filtering and Routing Package, VPN | http://www.smallworks.com
NetScreen-100/NetScreen-10 | NetScreen Technologies | Firewall, Dynamic Filter, NAT | http://www.netscreen.com
Norman Firewall | Norman Data Defense | Firewall, Dual-homed Gateway, Application Proxies, NAT | http://www.norman.com
PIX | Cisco Systems | Firewall, Hybrid, NAT | http://www.cisco.com
PORTUS-ES | Livermore Software Laboratories | Firewall, Proxies, NAT, VPN | http://www.lsli.com
PrivateWire | Cylink Corporation | Firewall, Dynamic Packet Filtering, VPN | http://www.cylink.com
PyroWall | Radguard | Firewall, Multi-Layer Probing (MLP), NAT, VPN | http://www.radguard.com
Raptor for NT | Axent Technologies | Firewall, Hybrid (Application-level proxies, Packet Filtering), NAT, VPN | http://www.axent.com
Raptor for Solaris | Axent Technologies | Firewall, Hybrid (Application-level proxies, Packet Filtering), NAT, VPN | http://www.axent.com
Secure Access | Ascend | Firewall, Hybrid, VPN | http://www.ascend.com
SecurIT Firewall for Solaris | Milkyway Networks | Firewall, Application and Circuit Level Gateway, Proxy Servers | http://www.milkyway.com
SecurIT Firewall for Windows NT | Milkyway Networks | Firewall, Application and Circuit Level Gateway, Proxy Servers | http://www.milkyway.com
SecureWare NetWall | Bull HN Information Systems | Firewall, Hybrid, NAT, VPN | http://www.bull.com
Sidewinder | Secure Computing | Firewall, Application Gateway (Proxies), VPN | http://www.securecomputing.com
SmartWall | V-ONE Corporation | Firewall, Packet Filtering, Proxies, NAT, VPN | http://www.v-one.com
Solstice Firewall-1 | Sun Microsystems | Firewall, Stateful Inspection, VPN | http://www.sun.com/security
SonicWALL | Sonic Systems, Inc. | Firewall, Stateful Inspection, NAT | http://www.sonicsys.com
StoneBeat | Stonesoft Corporation | Firewall, High Availability | http://www.stonebeat.com
Telaxian Shield Firewall Server | Network Engineering | Firewall, Hybrid, NAT, VPN | http://www.fireants.com
WinGate | Deerfield Communications, Inc. | Firewall, Proxy server | http://www.deerfield.net
Across Multiple Domains

In the national defense arena, most analysts pay little attention to the isolated cases of computer intrusions reported almost weekly in the news. If analysts became aware of a pattern of attacks directed at a variety of networks and domains, however, this information might well warrant heightened attention. Our research efforts at the University of Idaho are directed in part at developing a prototype to supply multiple-domain information.

Commercial intrusion detection systems protect only a single network or a collection of networks in a single domain, such as pentagon.mil or lajes.af.mil. These limitations make it difficult even to detect a sweep or scan attack against multiple government and military installations in a single geographic area, especially if they represent different departments like the Department of Defense and the Department of Energy, or different services, such as the Army, Air Force, and Navy. A seemingly insignificant intrusion at one location would acquire much greater importance if collaboration among the installations revealed a coordinated set of attacks. Therefore, some form of data sharing is needed to detect systemic attacks against the nation's critical information infrastructure that involve multiple hosts and domains.

To help address these concerns, we have developed a prototype called HMMR (Hierarchical Management of Misuse Reports) or Hummer. The prototype and its source code are available at http://www.cs.uidaho.edu/~hummer. When HMMR is fully deployed, every host has a Hummer running on it, and all the hosts in a domain are probably, but not necessarily, arranged in some hierarchical fashion. Each domain has a top-level manager, and those managers may agree to form peer groups with top-level managers from other domains. Peer groups can also be formed among cooperating systems at other levels. In the hierarchical model, manager and subordinate systems do not have to be in the same domain.

The Hummers can collect data such as log files, usage reports, and the output of commercial tools and freeware security tools and scanners from several locations on their host machine and put the acquired data into a common format. These capabilities, however, require additional coding to extract data from each source and then reformat it properly for the Hummer to use and distribute, depending on the filters created by that host's system administrator or higher-level managers/administrators. The reformatted information is distributed, either through the hierarchy or to all the other peers in the peer group. The filter is simply a screen that determines which security-relevant information is to be shared with other hosts and networks. The filters can be generated quickly through one of the user interfaces.

Each Hummer has a World Wide Web-based interface for relatively easy configuration and management operations. The Audit Tool Manager lets the user pick which tools to use at any time. It also offers preconfigured suites of tools for "Possible Intrusion" and "Ongoing Intrusion" alert levels. These resources allow the operator to turn on all policy-defined tools and respond to a situation with only a few clicks of the mouse button. Once a top-level manager has created a particular configuration, he can push the configuration, including the filters to be used, out to all the other Hummers under him in the hierarchy in a few minutes.

The following scenario illustrates the Hummer's use. A Department of Energy (DOE) research laboratory located near an Army installation, an Air Force installation, and a major government contractor has formed a peer group with the other facilities using HMMR so the organizations may share security-related information. Normally, the data collection, logging, and auditing tools run in the background at the DOE lab; to avoid negative impact on the user community, only a small subset of Hummer tools are routinely turned on. One day, however, an alert system administrator sees Hummer-generated information being passed to her system from the Army installation and the government contractor, in turn indicating they have been subjected to port scans. Expecting her network to be the next likely target, the system administrator turns on additional logging immediately, confident that with a few keystrokes, the more information she has, the better her chances of inhibiting the intruder.
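The data flow described above (collect, put into a common format, filter, distribute to the peer group) and the DOE lab scenario, modelled in Python as an added example; this is not the HMMR prototype's code, and the log-line formats, domain names, addresses, scan threshold and alert-level names are all assumptions.

```python
"""Model of the Hummer data flow and scenario described above: each host
normalizes local security output into a common report, a filter decides what
may leave the host, shared reports go to the peer group, and a receiving Hummer
correlates them across domains. Constructed example, not the HMMR prototype's
code; the log formats, domain names, addresses and level names are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Report:
    domain: str   # reporting domain
    host: str     # reporting host (sanitized before sharing)
    source: str   # remote address the event is attributed to
    event: str    # "port_scan" or "login_failure"
    when: int     # event time in seconds (constructed epoch-style values)

# Two constructed local log formats a Hummer might have to read.
_SCAN_RE = re.compile(r"^(\d+) scanlogger: src=(\S+) ports=(\d+)$")
_AUTH_RE = re.compile(r"^(\d+) login: FAILED user=\S+ from (\S+)$")

def normalize(domain, host, line):
    """One local log line -> common Report, or None if not security-relevant.
    Ten or more ports touched by one source counts as a scan (assumed)."""
    m = _SCAN_RE.match(line)
    if m:
        ts, src, nports = m.groups()
        return Report(domain, host, src, "port_scan", int(ts)) if int(nports) >= 10 else None
    m = _AUTH_RE.match(line)
    if m:
        ts, src = m.groups()
        return Report(domain, host, src, "login_failure", int(ts))
    return None

def make_filter(shareable_events):
    """The filter is the administrator's screen: only listed event types leave
    the host, and the local host name is sanitized on the way out."""
    def apply(report):
        if report.event not in shareable_events:
            return None
        return replace(report, host="<redacted>")
    return apply

def correlate(reports, window=3600, min_domains=2):
    """Map each source to the sorted domains reporting it, for sources that at
    least min_domains distinct domains report within `window` seconds."""
    by_source = defaultdict(list)
    for r in reports:
        by_source[r.source].append(r)
    hits = {}
    for source, rs in by_source.items():
        rs.sort(key=lambda r: r.when)
        for i, first in enumerate(rs):
            domains = {r.domain for r in rs[i:] if r.when - first.when <= window}
            if len(domains) >= min_domains:
                hits[source] = sorted(domains)
                break
    return hits

class Hummer:
    def __init__(self, domain, host, filt):
        self.domain, self.host, self.filt = domain, host, filt
        self.peers, self.inbox, self.alert_level = [], [], "Normal"
    def ingest(self, lines):
        """Normalize local lines; distribute the ones the filter lets through."""
        sent = []
        for line in lines:
            report = normalize(self.domain, self.host, line)
            shared = self.filt(report) if report else None
            if shared is not None:
                sent.append(shared)
                for peer in self.peers:
                    peer.inbox.append(shared)
        return sent
    def respond(self, window=3600):
        """Scenario reaction: one source reported scanning two or more peer
        domains raises the alert level (the 'Possible Intrusion' tool suite)."""
        hits = correlate(self.inbox, window=window)
        if hits:
            self.alert_level = "Possible Intrusion"
        return hits

# Constructed log lines per peer; 203.0.113.7 and 198.51.100.9 are documentation addresses.
LINES = {
    "army.example.mil": ["900000000 scanlogger: src=203.0.113.7 ports=42",
                         "900000120 login: FAILED user=jdoe from 198.51.100.9"],
    "contractor.example.com": ["900001800 scanlogger: src=203.0.113.7 ports=37",
                               "900001900 scanlogger: src=198.51.100.9 ports=3"],
}

def run_scenario():
    """Wire up the peer group and return what the DOE lab's Hummer learns:
    correlated sources, its alert level, and how many reports the peers shared."""
    share = make_filter({"port_scan"})
    doe = Hummer("doe-lab.example.gov", "gw1", share)
    peers = [Hummer(d, "gw1", share) for d in LINES]
    group = [doe] + peers
    for h in group:
        h.peers = [p for p in group if p is not h]
    shared = sum(len(h.ingest(LINES[h.domain])) for h in peers)
    return doe.respond(), doe.alert_level, shared
```

The login failure and the three-port probe never leave their hosts, so the DOE Hummer sees exactly two sanitized scan reports and, because they name the same source from two domains, escalates.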

Hummer represents only one of many areas in our ongoing research. The most important area, we believe, is developing a formal trust, integrity, and cooperation (TIC) model among hosts across multiple domains. We recognize that data, or even data requests, from a peer may be unreliable, inaccurate, or deliberately falsified, yet there remains a need to use available global information to ac-
Secure Your Distributed Network: What Will It Take?

by Robert Duchatellier
Lucent Technologies

Today's enterprises rely on the World Wide Web to deliver timely information to a broad base of users, branch offices, partners, and customers. As more information, content, and applications become readily available via the Internet and via intranets and extranets, you must look closely at the security requirements of your organization's servers, systems, and networks and ensure that you protect these critical assets.

Intranets, extranets, and the Internet are changing our world. They distribute information and services to people, no matter where they are. But most network security systems were never designed for distributed environments. As a result, they cannot deliver the scalability and management control needed to support growth and still remain secure.

Web site databases and other application systems are compromised almost every day, sometimes inadvertently, sometimes with malicious intent, and sometimes for the so-called fun of "breaking in." No system is absolutely impervious to attack, from both internal and external individuals and groups, but you can take steps to protect your systems, and you can implement policies and procedures to reduce significantly the threat of unauthorized access. One approach to achieving these goals is use of the Lucent Managed Firewall, now available in version 3.0.

Originally engineered by Bell Labs to protect Lucent Technologies' networks, the Firewall is designed to be intrinsically secure. It physically separates the security and management functions to improve each function's security and performance.

The Lucent network security appliance, called "the Brick," is a bridge-level device that runs Inferno™ operating system software, a compact, real-time operating system. The firewall code is embedded in the Inferno operating system kernel. The Brick eliminates common points of vulnerability, including user logins, files, hard drive, and monitor. The resulting firewall is hard to break and easy to maintain.

The Security Management Server software handles administrative functions. Available for Windows NT® and Sun Solaris® operating systems, the Security Management Server features an easy to use graphical user interface (GUI). As a result, network administrators do not have to be versed in operating systems or network configuration to manage the system.

The Brick uses native encryption and authentication features to communicate securely with the Security Management Server. The administrator works with the Security Management Server using encrypted sessions via industry-standard Secure Sockets Layer (SSL) and Design Engineering Services (DES) encrypted links, all of which are built in. Included with the Lucent Managed Firewalls is a free X.509 digital certificate from VeriSign.

Additionally, the Lucent Managed Firewall is extremely scalable and easy to deploy. Most firewalls establish security rules geographically or physically. Instead, Lucent uses security zones to establish rules logically. One Brick can support multiple security policies or "zones," and each security zone can be set up to have its own distinct set of rules, with report logs and alarms customized for that zone. Multiple zones can be managed centrally from one Security Management Server. This approach makes it easy for you to enforce multiple security policies across multiple Bricks, regardless of where your firewalls are located.

The Lucent Managed Firewall can easily scale up to meet your needs, no matter how large they become. As the network grows, you simply add Bricks to the Security Management System. Because the firewall appliance is implemented as a bridge, not a router, you can add new firewall appli-
IA Scientific & Technical Information

by Robert P. Thompson
Director, IATAC

Collection of scientific and technical information (STI) is essential to Information Analysis Center (IAC) operations. The Information Assurance Technology Analysis Center (IATAC) collection of Information Assurance (IA) STI focuses on technologies that support the design, development, testing, evaluation, operations, and maintenance of Department of Defense (DoD) military systems and infrastructure. STI products and services serve to advance the knowledge base and productivity of the DoD research, development, test, and evaluation (RDT&E) community.

IATAC taps many sources to collect IA STI. It relies on direct interface with vendors supporting the IA community as a primary source of information. Nondisclosure agreements with corporations yield information on emerging research and development (R&D). Release of STI obtained through non-disclosure is tightly controlled as delineated in the agreement. Technical symposia and conferences also provide information, and the conference proceedings and technical papers IATAC seeks out often become part of the STI collection. IATAC's interfaces with DoD and other Federal Government agencies also facilitate receipt of new scientific and technical information. Technical Area Tasks also produce STI and help to build the IA collection. Finally, open source gathering techniques augment collection activities. The IATAC collection offers materials on a number of IA STI topics, including those listed below.

• Command, Control, Communications, Computers & Intelligence (C4I)
• Computer Network Attacks (CNA)
• Encryption
• Firewalls
• Hackers
• Information Assurance
• Information Operations
• Information Warfare
• Intrusion Detection
• Malicious Code Detection
• Red Teaming
• Vulnerability Analysis
• Virus/Anti-Virus
• Year 2000 (Y2K)

Information in the IA STI collection is available to registered Defense Technical Information Center (DTIC) users. Secondary distribution instructions must be strictly followed to ensure compliance with copyright restrictions. To become a registered DTIC user, applicants must complete DD Form 1540 available from http://web1.whs.osd.mil/icdhome/DDEFORMS.HTM.

For more information on the IA STI Collection, contact IATAC at 703.902.3177 or via email at iatac@dtic.mil.


Secure Your Network
continued from page 11

ances at any time without reconfiguring the router network. With the release of the Lucent Managed Firewall v3.0, you can also manage software downloads remotely, saving time and maintenance expense.

The Lucent Managed Firewall can operate in a gateway perimeter setting to protect an enterprise network from the Internet or from partner extranet networks. It can separate public Web servers from sensitive intranet servers. It can also separate different intranet segments. Its scalability and flexibility can handle virtually any type of application, as well as any size and type of infrastructure.

Your network applications and systems are only as secure as the weakest point of entry. To secure your network, you must design the system to provide distributed security, centralized management, and scalability. You must also adhere to strict policies and train users effectively. Implementing these steps and deploying advanced firewall technology will provide a secure system to support a broad range of applications, while minimizing the threat from unwelcome guests. These components build the strong foundation required to ensure maximum security while they also deliver the flexibility needed to grow your enterprise.

For more information, contact Lucent Technologies at 888.552.2544 or on-line at http://www.lucent.com/security.

Robert Duchatellier received an M.S. in Industrial and Applied Mathematics from Brooklyn Polytechnic Institute and an M.S. in Technology Management from Stevens Institute of Technology. He is currently Lucent Technologies' Lucent Managed Firewall Sales Channel Manager for the U.S. Government, Department of Defense, and Federal Agencies.
NOV 1-5: 25th Annual Computer Security Conference & Exhibition. Sponsored by Computer Security Institute (CSI). Chicago, IL. Call 415.905.2378; www.gocsi.com

NOV 2-5: The Defense Technical Information Center (DTIC) Annual Users Meeting and Training Conference. DoubleTree Hotel National Airport, Arlington, VA. Call Ms. Julia Foscue, 703.767.8236, jfoscue@dtic.mil; http://www.dtic.mil

NOV 4-5: 13th Annual Mid-Atlantic Intelligence Symposium. Sponsored by AFCEA Central Maryland Chapter. Johns Hopkins Applied Physics Lab (APL), Laurel, MD. Call Dawn Metzer, 410.684.6580

JAN 19-21: AFCEA West '99. Sponsored by AFCEA and the U.S. Naval Institute. San Diego, CA. Call the AFCEA Programs Office, 703.631.6125/6126

MAR 2-4: Southeast C4I Conference and Exposition. Sponsored by the AFCEA Tampa — St. Petersburg Chapter. Tampa, FL. Call J. Spargo & Associates, 703.631.6200

DTIC's Annual Users Meeting & Training Conference

This year DTIC is hosting its 25th Annual Users Meeting and Training Conference. The conference will be held at the DoubleTree Hotel National Airport, 300 Army Navy Drive, Arlington, VA, from 2-5 November 1998. The agenda is packed full of exciting and relevant topics, as well as an exhibit room overflowing with vendors from every aspect of Information Technology (IT).

"Maintaining the Information Edge" is the theme for the conference, and the sessions are geared to this topic. DTIC '98 will address the information sources and changing technologies that impact those who are involved in Defense Research and Acquisition. We are particularly pleased to announce this year's keynote speakers: Lieutenant General David J. Kelley, Director, Defense Information Systems Agency; Mr. Carol Cini, Associate Director, U.S. Government Printing Office; and Mr. Richard Luce, Director, Los Alamos Research Library. Mr. Louis Purnell, the luncheon speaker, will be relating his exploits during World War II as a Tuskegee Airman.

The Conference offers four days of varied training sessions that enable DTIC users to collaborate on the latest IT topics. Presentations will address the most current issues affecting the research, development, and acquisition communities. Not only will these speakers acquaint you with the latest policy and operational developments, but they will also provide you with practical details on valuable and diverse domestic and foreign information resources, security issues, the World Wide Web, virtual libraries, video streaming, and the storage and dissemination of electronic documents.

Maintaining the Information Edge presents exciting new challenges — DTIC '98 promises to provide the tools to expand your horizons to meet these challenges! For more information, please contact Ms. Julia Foscue, the DTIC '98 Conference Coordinator, at 703.767.8236 or via e-mail: jfoscue@dtic.mil, or access the DTIC homepage at http://www.dtic.mil.


Detecting Intrusions

accurately assess the local security posture. Therefore, a formal model must include multiple levels of cooperation and trust and must provide concise definitions of cooperation and trust in this context. Other considerations to be addressed are whether the cooperation levels should be statically or dynamically assigned and how quickly or gracefully they should be adjusted in response to the most current data. The model must also take into account the various costs of cooperation, including data collection, transmission, and sanitization, and the exposure risk of the local network.
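The design questions raised above (graded cooperation levels, dynamic rather than static assignment, how gracefully trust moves, and the cost of sanitization and exposure) can be made concrete in a small model. The following Python is an added illustration and is not Project HMMR's code or design: the four-level scale, the exponential-moving-average trust update, the sanitization policy, the cost function, and the sample alert and address range are all assumptions chosen for demonstration.

```python
"""Toy model of trust-tiered cooperation between intrusion-detection sites.

Added example: the cooperation levels, the trust-update rule and the
sanitization policy below are assumptions chosen to illustrate the design
questions in the text, not the Project HMMR model itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Cooperation levels, lowest to highest (assumed four-step scale).
NONE, SUMMARY, SANITIZED, FULL = 0, 1, 2, 3

# A peer's running accuracy score maps to a level through these thresholds.
LEVEL_THRESHOLDS = ((0.9, FULL), (0.7, SANITIZED), (0.4, SUMMARY))

# Constructed address range standing in for the local site's internal network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def level_for(score: float) -> int:
    """Dynamic assignment: derive the cooperation level from the current score."""
    for threshold, level in LEVEL_THRESHOLDS:
        if score >= threshold:
            return level
    return NONE


@dataclass
class Peer:
    """A cooperating site whose trust is re-derived from the most recent data."""
    name: str
    score: float = 0.5   # neutral starting point for a new peer
    alpha: float = 0.3   # smoothing factor: larger reacts faster, smaller more gracefully

    def observe(self, was_accurate: bool) -> int:
        """Fold one verified (or refuted) alert from this peer into its score."""
        target = 1.0 if was_accurate else 0.0
        self.score = (1 - self.alpha) * self.score + self.alpha * target
        return self.level

    @property
    def level(self) -> int:
        return level_for(self.score)


def sanitize(alert: dict, level: int) -> Optional[dict]:
    """Reduce an outgoing alert to what the peer's level permits.

    NONE: share nothing.  SUMMARY: category and count only.
    SANITIZED: mask internal addresses and drop the local hostname.
    FULL: the alert as recorded locally.
    """
    if level == NONE:
        return None
    if level == SUMMARY:
        return {"category": alert["category"], "count": alert["count"]}
    shared = dict(alert)
    if level == SANITIZED:
        for key in ("src", "dst"):
            if ipaddress.ip_address(shared[key]) in INTERNAL_NET:
                shared[key] = "internal"
        shared.pop("host", None)  # local hostnames reveal topology
    return shared


def exposure(shared: dict) -> int:
    """Count fields in an outgoing alert that reveal local network detail."""
    count = 1 if "host" in shared else 0
    for key in ("src", "dst"):
        value = shared.get(key)
        if value and value != "internal" and ipaddress.ip_address(value) in INTERNAL_NET:
            count += 1
    return count


def cost(alert: dict, level: int, exposure_weight: float = 2.0) -> float:
    """Cooperation cost: transmission size plus weighted exposure risk."""
    shared = sanitize(alert, level)
    if shared is None:
        return 0.0
    return len(str(shared)) + exposure_weight * exposure(shared)


def decide_share(alert: dict, peer: Peer, budget: float) -> Optional[dict]:
    """Share the sanitized alert only if its cost fits the per-alert budget."""
    if cost(alert, peer.level) > budget:
        return None
    return sanitize(alert, peer.level)


# Constructed local alert used for demonstration.
SAMPLE_ALERT = {
    "category": "portscan",
    "count": 12,
    "src": "10.1.2.3",                # inside INTERNAL_NET
    "dst": "192.0.2.7",               # documentation address standing in for an external host
    "host": "db01.example.internal",  # constructed local hostname
}

if __name__ == "__main__":
    peer = Peer("site-b")
    for verdict in (True, True, True, True, True, False):
        print(peer.name, round(peer.score, 3), "->", peer.observe(verdict))
    print(decide_share(SAMPLE_ALERT, peer, budget=200))
```

With the assumed smoothing factor, a new peer starts at the SUMMARY level, reaches SANITIZED after two confirmed alerts and FULL after five, and drops back to SUMMARY on a single refuted alert; changing `alpha` is the one knob that trades responsiveness for graceful adjustment. The cost function makes the trade-off in the text explicit: a FULL alert is larger and exposes an internal address and hostname, a SANITIZED one costs only its size, and a SUMMARY exposes nothing about the local network.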

While most of the structure has been coded by undergraduates (Jamie Marconi, Jesse McConnell, Dean Polla, and Joel Marlow) so far, we hope our work on Project HMMR and our future research will encourage other researchers to explore new ideas for addressing the risks facing the critical information infrastructure. We have shown that cooperative intrusion detection can be achieved, and we believe it must be achieved to help ensure national security in the future.


Donald Tobin is a doctoral student at the University of Idaho and a research assistant at the Center for Secure and Dependable Software. His primary research interests are in intrusion detection, neural networks, and information warfare. He is a retired Air Force officer and has worked with a variety of communication, satellite, and missile warning systems. He earned his M.S. in Computer Science from Boston University and his B.S. in Mathematics from the University of Texas.
IA Tools Report: FIREWALLS

The Information Assurance (IA) Tools Report on Firewall tools is now available to registered DTIC users. This report provides an index of firewall products contained in the IA Tools database. It summarizes pertinent information, providing users with a brief description of available tools and contact information. As a living document, this report will be updated periodically as additional information is entered into the database.

Currently the IA tools database contains 46 firewall tools that are available in the commercial marketplace or through GSA contracts. The firewall products provide a range of solutions to meet various firewall requirements. These solutions can provide protection of internal networks and provide secure Internet and remote access connections. The database was built by gathering open-source data, analyzing that data, coordinating with the respective firewall developer, and then formatting the data into the final report. The information includes a basic description, security services and mechanisms, availability, contact, and reseller/distributors for each firewall product included. For instructions on obtaining a copy of this report, refer to the IATAC Product Order Form.

IA Tools Reports: Vulnerability Analysis, Modeling & Simulation, and Intrusion Detection Technical Reports

These IA Tools reports summarize pertinent information, providing users with a brief description of available tools and contact information. As living documents, these reports will be updated periodically as additional information is entered into the databases.

Currently the Vulnerability Analysis IA Tools database contains descriptions of 35 tools that can be used to support vulnerability and risk assessment. Research for the Intrusion Detection IA Tools report identified 43 intrusion detection tools currently employed and available.

The Modeling & Simulation report describes the models, simulations and tools being used or developed by selected organizations that are chartered with the IA mission. The definitions prescribed by DMSO for model and simulation were used to determine what entities should be included in this IA models, simulations and tools report.


Malicious Code Detection State-Of-The-Art Report

This SOAR addresses malicious software detection. Included is a taxonomy for malicious software to provide the audience with a better understanding of commercial malicious software. An overview of the current state-of-the-art commercial products and initiatives, as well as future trends, is presented. The same is then done for the current state-of-the-art in regard to DoD. Lastly, the report presents observations and assertions to support the DoD as it grapples with this problem entering the 21st century.
IMPORTANT NOTE: All IATAC Products are distributed through the Defense Technical Information Center (DTIC). If you are NOT a registered DTIC user, you must register PRIOR to ordering any IATAC products. To register with DTIC go to http://www.dtic.mil/dtic/regprocess.html.